Analysis
max time kernel: 147s
max time network: 74s
platform: windows7_x64
resource: win7
submitted: 07/07/2020, 09:44
Static task: static1
Behavioral task: behavioral1
  Sample: PO894749745.exe
  Resource: win7
  0 signatures
  0 seconds
Behavioral task: behavioral2
  Sample: PO894749745.exe
  Resource: win10v200430
  0 signatures
  0 seconds
General
Target: PO894749745.exe
Size: 440KB
MD5: 6d687e89130f81088fcbf8f302700c1b
SHA1: a9cba71526bbd7b1ff912774c1c5b623a90cff8a
SHA256: b258aed05413eb191250d2907db5b64c4f36fdb0508fb3c9c6390c4144fd9497
SHA512: 8babb1e45e0bfde70bcb40c64478dc084fb0a94db8e79bc5e1f3428bf7af495daa1fb3747780664c47fb1b4555daff15021c82c7c8ab56849f77e91d4f549853
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | PO894749745.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | PO894749745.exe
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | PO894749745.exe
Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | PO894749745.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | PO894749745.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | PO894749745.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 1496 wrote to memory of 1500 | 1496 | PO894749745.exe | 25 (7 identical entries)
PID 1228 wrote to memory of 1788 | 1228 | Explorer.EXE | 26 (4 identical entries)
PID 1788 wrote to memory of 1772 | 1788 | systray.exe | 27 (4 identical entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1500 | vbc.exe
Token: SeDebugPrivilege | 1788 | systray.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
pid | Process
1228 | Explorer.EXE (5 identical entries)
Suspicious use of SendNotifyMessage (4 IoCs)
pid | Process
1228 | Explorer.EXE (4 identical entries)
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1496 set thread context of 1500 | 1496 | PO894749745.exe | 25
PID 1500 set thread context of 1228 | 1500 | vbc.exe | 20
PID 1788 set thread context of 1228 | 1788 | systray.exe | 20
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | Process
1500 | vbc.exe (2 identical entries)
1788 | systray.exe (22 identical entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process
1500 | vbc.exe (3 identical entries)
1788 | systray.exe (2 identical entries)
Uses the VBS compiler for execution (1 TTPs)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1228
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled
  C:\Users\Admin\AppData\Local\Temp\PO894749745.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO894749745.exe"
    PID: 1496
    - Checks BIOS information in registry
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Maps connected drives based on registry
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "{path}"
      PID: 1500
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  C:\Windows\SysWOW64\systray.exe
    Command line: "C:\Windows\SysWOW64\systray.exe"
    PID: 1788
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 1772